netaneldanner
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 3:15 pm

Access internal LAN from SSH

Wed Jan 12, 2022 3:33 pm

Hi folks, I have a small issue accessing my internal lab as wanted.

The setup is like this:
The MikroTik GW can be accessed via SSH on port 22 over its public IP. External client XXX can log in to the MikroTik GW without problems. The internal lab, yellow box, is 192.168.100.0/24. The MikroTik GW on NIC eth1 can reach and can be reached by internal hosts.

The needed way to access the internal lab:
On external client XXX I want to receive everything the NIC eth1 of the MikroTik GW receives. For example, I want to execute on external client XXX:
tcpdump -i eth0
Interface eth0 should receive the packets from the yellow box, i.e. the internal lab, only, as if NIC eth0 is eth1 of the GW.
Meaning, I need a logical or virtual NIC interface in the yellow box which is accessible over the public SSH of the GW.
So what can I configure on the MikroTik GW?
Thanks


 
Rugx
Member Candidate
Posts: 123
Joined: Thu Jan 02, 2020 1:44 pm

Re: Access internal LAN from SSH

Thu Jan 13, 2022 11:34 am

 
netaneldanner
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 3:15 pm

Re: Access internal LAN from SSH

Thu Jan 13, 2022 11:47 am

I know this, but port forwarding does not deliver the functionality I want. I want to create/have a virtual interface for the internal lab on the GW which is accessible on external client XXX.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access internal LAN from SSH

Fri Jan 14, 2022 1:23 am

I don't think you can do that. Even if you had e.g. an EoIP tunnel and bridged it with the GW's eth1, so the client would be a direct part of the L2 segment, it would be like a switch and not everything would go to the client. But if you want to capture packets, RouterOS has a packet sniffer and it allows you to stream captured packets to another device using TZSP.
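
The receiving side of the TZSP streaming mentioned in the post above, as an added example that is not part of the original post: it strips the TZSP wrapper from each UDP datagram and summarises the captured Ethernet frame, which is what the external client would run to see the lab-side traffic. It assumes the TZSP version 1 layout (4-byte header, tagged fields terminated by tag 1) and the conventional UDP port 37008; the sample datagram and its tag 0x28 are constructed.

```python
import socket
import struct

TZSP_PORT = 37008            # assumption: conventional TZSP UDP port
TAG_PADDING, TAG_END = 0, 1  # the only two tags without a length byte

def strip_tzsp(datagram: bytes):
    """Split one TZSP datagram into (encap_protocol, tags, inner_frame)."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tagged fields not terminated by END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            return encap, tags, datagram[pos:]
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("truncated tagged field")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length

def describe_frame(frame: bytes):
    """Summarise the Ethernet header of a decapsulated frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "broadcast": dst == b"\xff" * 6}

# Constructed sample: header (v1, type 0, encap 1 = Ethernet), one padding
# tag, one made-up 2-byte tag (0x28), END, then a broadcast ARP-type frame.
SAMPLE = (bytes.fromhex("01000001" "00" "2802002a" "01")
          + b"\xff" * 6 + bytes.fromhex("020000000001" "0806") + b"\x00" * 28)

if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    while True:
        encap, _tags, frame = strip_tzsp(sock.recvfrom(65535)[0])
        print(describe_frame(frame) if encap == 1 else f"encap {encap}")
```
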
 
jwreno
just joined
Posts: 8
Joined: Wed Jan 12, 2022 11:52 am

Re: Access internal LAN from SSH

Fri Jan 14, 2022 10:59 am

 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access internal LAN from SSH

Fri Jan 14, 2022 3:03 pm

For the "connecting to router" part, yes. For "being member of internal network", no.
 
jwreno
just joined
Posts: 8
Joined: Wed Jan 12, 2022 11:52 am

Re: Access internal LAN from SSH

Fri Jan 14, 2022 8:31 pm

I was actually thinking of ssh tunneling to access inside the network, which is what I thought the request was about but I misread some of the OP requirements. :lol:
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Access internal LAN from SSH

Sat Jan 15, 2022 2:01 am

Dedicate a PC on the lab network that can be accessed via something like TeamViewer / VNC / Remote Desktop / etc. Run WireShark (or an equivalent) on that PC.
May want to have two NICs on that PC and use the second one for the remote access on a separate network so the WireShark capture is not seeing the remote session traffic.
 
netaneldanner
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 3:15 pm

Re: Access internal LAN from SSH

Sat Jan 15, 2022 6:30 pm

k6ccc wrote:
"Dedicate a PC on the lab network that can be accessed via something like TeamViewer / VNC / Remote Desktop / etc. Run WireShark (or an equivalent) on that PC.
May want to have two NICs on that PC and use the second one for the remote access on a separate network so the WireShark capture is not seeing the remote session traffic."

Currently, I can't do that. I have only SSH access over the public IP, that's it.
 
netaneldanner
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 3:15 pm

Re: Access internal LAN from SSH

Sat Jan 15, 2022 6:34 pm

Sob wrote:
"I don't think you can do that. Even if you'd have e.g. EoIP tunnel and bridged it with GW's eth1, so client would be direct part of L2 segment, it would be like a switch and not everything would go to client. But if you want to capture packets, RouterOS has packet sniffer and it allows to stream captured packets to another device using TZSP."

It is sufficient to receive layer 3 broadcast packets. Currently LAN and OVPN are in the same IP range. Meaning, LAN: 1.2.3.1-150, VPN: 1.2.3.151-250. The VPN gateway is 1.2.3.151, VPN clients are 1.2.3.152-250. VPN clients can talk to LAN clients without problems; what I need now is for the VPN gateway to "route" all incoming layer 3 broadcasts. So, I'm stuck here.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access internal LAN from SSH

Sat Jan 15, 2022 7:18 pm

That sounds familiar, it's you from the other thread! I suggest to not do that, it doesn't help to spread info over different places.

As was already suggested there by @jwreno, OpenVPN in L2 mode seems like what you're looking for. I didn't use it for years, but you should be able to add clients to bridge and it will be fully transparent, as if they were connected using switch.
